In this post I will cover my analysis setup in regards to how I have mine configured to capture and consume Sysmon(Windows Logs), Packetbeat, Bro and Procmon. Everyone loves the SysInternals Suite. It comes with an amazing array of analysis tools that have all held the test of time. As with most folks who using the tool suite, Process Monitor is likely in their top 3 favorites. Those that use Procmon regularly likely have their favorite filters and perhaps tools. Many folks use tools like Noriben to get quick hits when running malicious binaries. Noriben is an amazing script that allows you to run Noriben, run your malicious executable and then stop Noriben and review the parsed Procmon output. As always, there’s more than one way to skin a cat.

Continuing my analysis of lateral movement using MMC20.Application (see my previous post), the next logical course was to look in memory and see what I can find. This post will cover my memory findings. I will note that I performed this MMC20.Application abuse and then waited a little while before actually capturing memory.

The other month I read enigma0x3’s excellent post on using MMC20.Application for lateral movement. The MMC20.Application class allows for the interaction and automation of MMC. In enigma0x3’s post he leverages the MMC20.Application class using one of the ActiveView View methods to execute a shell command of his choosing, calc.exe in this instance.
This got me thinking how would I spot this lateral movement method on one of my networks. Clearly, it doesn’t stand out like psexec or some odd service or scheduled task starting up for the first time or at a strange time. So I figured I would test it out myself and see what artifacts I can see.